fivedev/five - five - fivego gitea

Author SHA1 Message Date

Author	SHA1	Message	Date
CharlesKWON	3b2dd365ad	feat(pgserver): Phase 6 — TLS + source-IP allowlist Closes the v1.0 hardening surface: encrypted transport + a coarse pg_hba.conf-equivalent CIDR allowlist. Together with the Phase 5 auth flows, this is the security-baseline an internet- exposed PostgreSQL-wire server needs. TLS subsystem ------------- `hbrtl/pgserver/tls.go`: * `LoadTLSFromFiles(certPath, keyPath)` — cert/key PEM pair load with tls.VersionTLS12 floor. Installed as the pending config that the next PG_SERVER_START consumes (matches PG's "must-set-before-pg_ctl-start" semantics). * `GenerateSelfSignedCert(certPath, keyPath, hostname)` — ECDSA P-256 + 365-day validity + DNSNames+IPAddresses SANs covering the hostname plus 127.0.0.1 / ::1. Dev/CI helper; production ships a CA-signed cert via the loader. * `upgradeToTLS()` wraps `tls.Server(conn, cfg).Handshake()` so pgproto3 reads plaintext on top of the encrypted stream. Source-IP allowlist ------------------- * `AllowIP(cidr)` parses a CIDR and appends it to a per-server list snapshotted at PG_SERVER_START time. * `peerAllowed(remote, list)` runs at accept() — empty list → accept any, otherwise drop connections whose RemoteAddr falls outside every registered range. * `ClearAllowList()` resets to allow-all. Coarse but compatible with the "host alice 10.0.0.0/8 md5"-style entries every pg_hba.conf author already knows; a fuller per- role/per-database matcher is Phase 6.1+. PRG bindings (register.go) -------------------------- New HB_FUNCs, all idempotent and composable in any order before PG_SERVER_START: pg_tls_load( certPath, keyPath ) → .T. \| cErr pg_tls_self_signed( cert, key, hostname ) → .T. \| cErr pg_allow_ip( cidr ) → .T. \| cErr pg_clear_allowlist() → NIL Bootstrap idiom: PROCEDURE Main() PG_TLS_SELF_SIGNED( "/tmp/cert.pem", "/tmp/key.pem", "localhost" ) PG_ADD_ROLE( "alice", "swordfish" ) PG_ALLOW_IP( "127.0.0.1/32" ) PG_ALLOW_IP( "10.0.0.0/8" ) PG_SERVER_START( ":5432", "md5" ) The startup banner now reports TLS + allowlist state so the PRG operator sees the security posture at a glance: pgserver: listening on :5432 (auth=md5 tls=on allowlist=2) Verification ------------ End-to-end via real psql against a self-signed server: $ PGPASSWORD=swordfish psql \ "postgres://alice@127.0.0.1:15432/alice?sslmode=require" \ -c "SELECT 'tls-works' AS x" -At tls-works $ # off-allowlist source (192.168.x.x mock) → connection refused $ # (verified manually; psql can't easily spoof src IP for CI) Integration script gates expanded to 6/6: PASS Simple Query PASS Multi-statement Simple Query PASS Transaction control PASS MD5 auth: wrong password rejected PASS MD5 auth: correct password accepted PASS TLS handshake + MD5 auth via sslmode=require All six release gates green: go test ./... ✓ FiveSql2 SQL:1999 43/43 ✓ Harbour compat 56/56 ✓ std.ch 17/17 ✓ FRB 7/7 ✓ pgserver integration 6/6 ✓ Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 14:07:19 +09:00
CharlesKWON	d98f5e1767	feat(pgserver): PostgreSQL-wire MVP — psql can SELECT from FiveSql2 First end-to-end working version of the PostgreSQL-wire-compatible TCP server frontend. A standard `psql` client now connects, runs `SELECT * FROM employees`, and gets back a properly typed result set rendered by psql with the right column alignment: ID \| NAME \| SALARY ----+----------------------+---------- 1 \| Alice \| 50000.00 2 \| Bob \| 42000.50 3 \| Cho \| 77500.00 This is the Phase 2 deliverable from the approved plan at /Users/charleskwon/.claude/plans/compiled-launching-shore.md. Builds on the session-state refactor in `93cf5c8` — each connection gets its own TSqlSession on the PRG side via the new PG_NEW_SESSION HB_FUNC, so concurrent psql clients won't share transaction logs or plan caches. Scope ----- v1.0 MVP: Simple Query only, trust auth, no TLS yet. SELECT works against the full FiveSql2 surface (CTEs, window functions, JOINs, aggregates). DML + per-session transactions are Phase 3, extended protocol is Phase 4, auth + TLS are Phases 5/6. Architecture ------------ psql/pgx/JDBC ──TCP:5432──▶ pgserver.Listener │ accept() ▼ go handleConn(net.Conn) ┌─────────────────────────────┐ │ Session goroutine │ │ 1. SSLRequest peek │ │ 2. StartupMessage │ │ 3. AuthenticationOk (trust) │ │ 4. ParameterStatus×7 │ │ 5. BackendKeyData │ │ 6. ReadyForQuery('I') │ │ 7. loop: Receive() → │ │ dispatchSimpleQuery → │ │ hbrt.Thread.Function( │ │ FIVE_SQL,sql,...,sess) │ │ emit RowDescription │ │ emit DataRow×N │ │ emit CommandComplete │ │ emit ReadyForQuery │ └─────────────────────────────┘ One goroutine per connection, each owning its own hbrt.Thread and TSqlSession instance. Uses the existing audit-fixed NewThread() (`cde8673`) so statics + WA factory propagate. New files (hbrtl/pgserver/) --------------------------- server.go — Config, Server, Serve loop with MaxConnections gate via semaphore, Close drains in-flight sessions. * session.go — full lifecycle: SSLRequest peek + prefixedConn byte-injection trick for StartupMessage, ParameterStatus broadcast (server_version "14.0 (FiveSql2)" so pgx negotiates), BackendKeyData (random pid+secret per session, no CancelRequest yet), query loop dispatching only Simple Query in v1.0 with a loud "0A000 not supported" for Extended messages. * dispatch.go — runSQL invokes FIVE_SQL via PushSymbol+Function, unpacks the engine's `{aFieldNames, aRows}` envelope or the `{{"__error__"}, {{nCode, cMsg, cSQL}}}` error shape, emits RowDescription with text-format OIDs and DataRow per row. * typemap.go — pgTypeFor() picks INT4 / INT8 / NUMERIC / TEXT / DATE / TIMESTAMP / BOOL by sampling the first row's value type; encodeText() formats each cell, returning nil-slice for NULL (the PG length=-1 convention). * errmap.go — sqlStateFor() maps FiveSql2 SQL_ERR_* codes to canonical PG SQLSTATEs (42601/42P01/42703/42804/23505/23514/ 23503/25P02/42501/02000/XX000). * auth.go — trust mode in v1.0; password/MD5/SCRAM lands Phase 5 but the dispatch sentinel is already in place. * tls.go — upgradeToTLS stub for SSLRequest handling; the byte- ordering is already wired so Phase 6 just plugs in tls.Config. * register.go — package init() registers pg_server_start / pg_server_stop HB_FUNCs. Importing the package (done from hbrtl/register.go via blank import) is enough to enable them. * pgserver_test.go — unit tests for encodeText (numeric, string, NIL), pgTypeFor (OID dispatch), sqlStateFor (error mapping), commandTagFor (SELECT/INSERT/UPDATE/DELETE/BEGIN/COMMIT). Other changes ------------- * _FiveSql2/src/TSqlSession.prg — added PG_NEW_SESSION() factory used by the Go dispatcher to allocate a per-connection session bypassing the embedded process default. * hbrtl/register.go — blank-import five/hbrtl/pgserver so its init() fires and the HB_FUNCs land in the global dynamic-func table for VM symbol lookup. * go.mod / go.sum — github.com/jackc/pgx/v5 v5.9.2 (pgproto3 subpackage). MIT license. Same library pgx itself uses, so protocol coverage matches the de-facto Go PG ecosystem. Verification ------------ $ pg_server_start(15432, "trust") /* PRG one-liner / $ psql -h 127.0.0.1 -p 15432 -U fiveuser -c 'SELECT FROM employees' → 3 rows rendered correctly by psql (ID as INT4, NAME as TEXT, SALARY as NUMERIC(10,2) with 2 decimal places) All six release gates green: go test ./... ✓ (incl. new hbrtl/pgserver tests) FiveSql2 SQL:1999 43/43 ✓ Harbour compat 56/56 ✓ std.ch 17/17 ✓ FRB 7/7 ✓ examples 65/71 ✓ (unchanged baseline) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 18:40:32 +09:00

3b2dd365ad

feat(pgserver): Phase 6 — TLS + source-IP allowlist

Closes the v1.0 hardening surface: encrypted transport + a
coarse pg_hba.conf-equivalent CIDR allowlist. Together with the
Phase 5 auth flows, this is the security-baseline an internet-
exposed PostgreSQL-wire server needs.

TLS subsystem
-------------

`hbrtl/pgserver/tls.go`:

* `LoadTLSFromFiles(certPath, keyPath)` — cert/key PEM pair load
  with tls.VersionTLS12 floor. Installed as the *pending* config
  that the next PG_SERVER_START consumes (matches PG's
  "must-set-before-pg_ctl-start" semantics).

* `GenerateSelfSignedCert(certPath, keyPath, hostname)` — ECDSA
  P-256 + 365-day validity + DNSNames+IPAddresses SANs covering
  the hostname plus 127.0.0.1 / ::1. Dev/CI helper; production
  ships a CA-signed cert via the loader.

* `upgradeToTLS()` wraps `tls.Server(conn, cfg).Handshake()` so
  pgproto3 reads plaintext on top of the encrypted stream.

Source-IP allowlist
-------------------

* `AllowIP(cidr)` parses a CIDR and appends it to a per-server
  list snapshotted at PG_SERVER_START time.
* `peerAllowed(remote, list)` runs at accept() — empty list →
  accept any, otherwise drop connections whose RemoteAddr falls
  outside every registered range.
* `ClearAllowList()` resets to allow-all.

Coarse but compatible with the "host alice 10.0.0.0/8 md5"-style
entries every pg_hba.conf author already knows; a fuller per-
role/per-database matcher is Phase 6.1+.

PRG bindings (register.go)
--------------------------

New HB_FUNCs, all idempotent and composable in any order before
PG_SERVER_START:

  pg_tls_load( certPath, keyPath )           → .T. | cErr
  pg_tls_self_signed( cert, key, hostname )  → .T. | cErr
  pg_allow_ip( cidr )                        → .T. | cErr
  pg_clear_allowlist()                       → NIL

Bootstrap idiom:

  PROCEDURE Main()
     PG_TLS_SELF_SIGNED( "/tmp/cert.pem", "/tmp/key.pem", "localhost" )
     PG_ADD_ROLE( "alice", "swordfish" )
     PG_ALLOW_IP( "127.0.0.1/32" )
     PG_ALLOW_IP( "10.0.0.0/8" )
     PG_SERVER_START( ":5432", "md5" )

The startup banner now reports TLS + allowlist state so the PRG
operator sees the security posture at a glance:

  pgserver: listening on :5432 (auth=md5 tls=on allowlist=2)

Verification
------------

End-to-end via real psql against a self-signed server:

  $ PGPASSWORD=swordfish psql \
        "postgres://alice@127.0.0.1:15432/alice?sslmode=require" \
        -c "SELECT 'tls-works' AS x" -At
  tls-works

  $ # off-allowlist source (192.168.x.x mock) → connection refused
  $ # (verified manually; psql can't easily spoof src IP for CI)

Integration script gates expanded to 6/6:
  PASS  Simple Query
  PASS  Multi-statement Simple Query
  PASS  Transaction control
  PASS  MD5 auth: wrong password rejected
  PASS  MD5 auth: correct password accepted
  PASS  TLS handshake + MD5 auth via sslmode=require

All six release gates green:
  go test ./...               ✓
  FiveSql2 SQL:1999 43/43     ✓
  Harbour compat 56/56        ✓
  std.ch 17/17                ✓
  FRB 7/7                     ✓
  pgserver integration 6/6    ✓

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 14:07:19 +09:00

CharlesKWON

d98f5e1767

feat(pgserver): PostgreSQL-wire MVP — psql can SELECT from FiveSql2

First end-to-end working version of the PostgreSQL-wire-compatible
TCP server frontend. A standard `psql` client now connects, runs
`SELECT * FROM employees`, and gets back a properly typed result
set rendered by psql with the right column alignment:

    ID |         NAME         |  SALARY
    ----+----------------------+----------
      1 | Alice                | 50000.00
      2 | Bob                  | 42000.50
      3 | Cho                  | 77500.00

This is the Phase 2 deliverable from the approved plan at
/Users/charleskwon/.claude/plans/compiled-launching-shore.md.
Builds on the session-state refactor in 93cf5c8 — each connection
gets its own TSqlSession on the PRG side via the new PG_NEW_SESSION
HB_FUNC, so concurrent psql clients won't share transaction logs
or plan caches.

Scope
-----

v1.0 MVP: Simple Query only, trust auth, no TLS yet. SELECT works
against the full FiveSql2 surface (CTEs, window functions, JOINs,
aggregates). DML + per-session transactions are Phase 3, extended
protocol is Phase 4, auth + TLS are Phases 5/6.

Architecture
------------

  psql/pgx/JDBC ──TCP:5432──▶ pgserver.Listener
                                  │ accept()
                                  ▼ go handleConn(net.Conn)
                             ┌─────────────────────────────┐
                             │ Session goroutine            │
                             │  1. SSLRequest peek          │
                             │  2. StartupMessage           │
                             │  3. AuthenticationOk (trust) │
                             │  4. ParameterStatus×7        │
                             │  5. BackendKeyData           │
                             │  6. ReadyForQuery('I')       │
                             │  7. loop: Receive() →        │
                             │     dispatchSimpleQuery →    │
                             │     hbrt.Thread.Function(    │
                             │       FIVE_SQL,sql,...,sess) │
                             │     emit RowDescription      │
                             │     emit DataRow×N           │
                             │     emit CommandComplete     │
                             │     emit ReadyForQuery       │
                             └─────────────────────────────┘

One goroutine per connection, each owning its own *hbrt.Thread and
TSqlSession instance. Uses the existing audit-fixed NewThread()
(cde8673) so statics + WA factory propagate.

New files (hbrtl/pgserver/)
---------------------------

* server.go — Config, Server, Serve loop with MaxConnections gate
  via semaphore, Close drains in-flight sessions.
* session.go — full lifecycle: SSLRequest peek + prefixedConn
  byte-injection trick for StartupMessage, ParameterStatus
  broadcast (server_version "14.0 (FiveSql2)" so pgx negotiates),
  BackendKeyData (random pid+secret per session, no CancelRequest
  yet), query loop dispatching only Simple Query in v1.0 with a
  loud "0A000 not supported" for Extended messages.
* dispatch.go — runSQL invokes FIVE_SQL via PushSymbol+Function,
  unpacks the engine's `{aFieldNames, aRows}` envelope or the
  `{{"__error__"}, {{nCode, cMsg, cSQL}}}` error shape, emits
  RowDescription with text-format OIDs and DataRow per row.
* typemap.go — pgTypeFor() picks INT4 / INT8 / NUMERIC / TEXT /
  DATE / TIMESTAMP / BOOL by sampling the first row's value type;
  encodeText() formats each cell, returning nil-slice for NULL
  (the PG length=-1 convention).
* errmap.go — sqlStateFor() maps FiveSql2 SQL_ERR_* codes to
  canonical PG SQLSTATEs (42601/42P01/42703/42804/23505/23514/
  23503/25P02/42501/02000/XX000).
* auth.go — trust mode in v1.0; password/MD5/SCRAM lands Phase 5
  but the dispatch sentinel is already in place.
* tls.go — upgradeToTLS stub for SSLRequest handling; the byte-
  ordering is already wired so Phase 6 just plugs in tls.Config.
* register.go — package init() registers pg_server_start /
  pg_server_stop HB_FUNCs. Importing the package (done from
  hbrtl/register.go via blank import) is enough to enable them.
* pgserver_test.go — unit tests for encodeText (numeric, string,
  NIL), pgTypeFor (OID dispatch), sqlStateFor (error mapping),
  commandTagFor (SELECT/INSERT/UPDATE/DELETE/BEGIN/COMMIT).

Other changes
-------------

* _FiveSql2/src/TSqlSession.prg — added PG_NEW_SESSION() factory
  used by the Go dispatcher to allocate a per-connection session
  bypassing the embedded process default.
* hbrtl/register.go — blank-import five/hbrtl/pgserver so its
  init() fires and the HB_FUNCs land in the global dynamic-func
  table for VM symbol lookup.
* go.mod / go.sum — github.com/jackc/pgx/v5 v5.9.2 (pgproto3
  subpackage). MIT license. Same library pgx itself uses, so
  protocol coverage matches the de-facto Go PG ecosystem.

Verification
------------

  $ pg_server_start(15432, "trust")     /* PRG one-liner */
  $ psql -h 127.0.0.1 -p 15432 -U fiveuser -c 'SELECT * FROM employees'
  → 3 rows rendered correctly by psql (ID as INT4, NAME as TEXT,
    SALARY as NUMERIC(10,2) with 2 decimal places)

All six release gates green:
  go test ./...               ✓ (incl. new hbrtl/pgserver tests)
  FiveSql2 SQL:1999 43/43     ✓
  Harbour compat 56/56        ✓
  std.ch 17/17                ✓
  FRB 7/7                     ✓
  examples 65/71              ✓ (unchanged baseline)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 18:40:32 +09:00

2 Commits